Smith College Information Security Risk Assessment Checklist

This form contains a checklist for individual data handlers who are conducting an information security risk assessment of their work environment. The checklist is intended to provide you with options to consider in assessing information security risks. You and your department are encouraged to change, add, or delete specific and/or general items in the checklist to make the assessment more relevant to the specific environment and needs of your job or workplace. Please review the results of your assessment with your supervisor or manager.

The ultimate goal of this process is for departments to develop plans and action items that will reduce their risk, help them align their business practices with risk management and compliance needs, and assist in evaluating a potential security breach event.

Name:
Location:
Date:

Summary question (answer YES or NO):
In summary, does the hard drive of your computer contain any legally-protected personal information* or other classified information?

If YES, please provide the following information:
  Desktop computers:  Ethernet computer identifier:
  Laptop computers:   Ethernet computer identifier:
                      Wireless computer identifier:

For instructions on finding your computer identifier(s), see: http://www.smith.edu/tara/security/computerid.html
For each item on the following checklist, please enter one of the following:
  Y  = Yes
  N  = No
  IP = In progress
  NA = Not applicable

Overall Location Assessment: For each location
  Has this location been inspected for the presence of both physical and electronic classified information?
  Is any PI* data stored in this location?
    If yes, is there a continuing business need to keep the information in this location?
    If yes, is the location locked or monitored during normal business hours?
    If yes, is the location locked and/or monitored during non-business hours?
    If yes, can only authorized personnel access the location?
    If yes, is classified information stored in a secured enclosure?
    If no, is there a plan to move the information to an appropriate location? Or, is there a plan to securely remove or destroy the information?

Physical Information Assessment: For any location in which classified information is stored or processed on physical media (e.g., paper, index cards, computer printout, etc.)
  Are there guidelines in place that specify who is granted access to classified information in this location?
  Is the information stored securely when not in use?
  Is there physical PI* data in this location?
    If yes, are there clear guidelines on how it is stored and accessed?
    If yes, are there clear guidelines for who is allowed to see or have copies of this information?
Electronic Information Assessment: For each computer you use in your location, please provide the following information.
  Computer type (Windows, Mac, other):
  Computer identifier (e.g., IP address, MAC address, or network name):

  Has the hard drive (C: drive) of this computer been scanned for PI* data using Identity Finder?
  Have all external devices used with this computer, including hard drives, thumb drives, and backup media, been scanned for PI* data using Identity Finder?
  Have you scanned your personal network drive (H: drive) for PI* data using Identity Finder?
  Did you find any PI* data?
    If yes, has the PI* data been reviewed with the relevant Data Custodian?
    If yes, have you decided what action to perform on the PI* data (e.g., shred, encrypt, scrub, move, or leave in place)?
    If yes, have all remediation steps been completed?
  Is any other classified information processed or maintained on this computer?
    If yes, has the data been reviewed by the relevant data custodian or their representative?
    Are any remediation steps required to ensure that only needed data is maintained?
    Are there clear guidelines in place for the storage and handling of the data?
Computer Security: Security considerations for all computer systems, including office desktops and laptops, that contain or process PI* data or other classified information
  Does the computer require a password on startup and wake from sleep mode?
  Does the computer have an idle timer set and a screen saver with password protection?
  Are system updates and security patch checks performed automatically by the system?
  Does the system have up-to-date virus and malware detection (e.g., McAfee VirusScan) installed?
  Are computer access passwords shared among several users?
    If yes, are there specific authorized user access controls for classified information?
  Are all files or folders containing confidential information protected by encryption or by at least two levels of passwords (e.g., workstation and network passwords)?
  Does the system have internal firewalls enabled and configured?
  Does the computer have a cable lock or other physical security protection?
  Does the computer have electrical surge or UPS protection?
  Is the computer used for other purposes not related to classified information?

Laptops and Other Portable Devices: Additional considerations for laptop systems and other portable devices that contain or process PI* data or other classified information
  Are all files or folders containing PI* information encrypted?
  Do you carry and use a cable lock when traveling?
  Does your laptop have a lost/stolen system retrieval service installed (e.g., CompuTrace)?
  For handheld devices, can the device be remotely wiped if lost or stolen?
  Are all removable storage devices stored in a secure location?
  Is there a procedure for securely destroying classified information from external storage?
  Is information about the laptop or other device recorded and maintained outside the device itself?
    Note: If a laptop or other device is lost or stolen, it is very helpful to have its serial number, computer identifier(s), operating system type, and a list of files and folders containing classified information.
Data Backups: Security considerations for backed-up data
  Is important information on local drives backed up at regular intervals?
  Are the backups and backup media encrypted or stored in a secure location?
  Is there a defined retention period for backup media?
  Is there a procedure for securely destroying classified information from backup storage?

Please enter any other comments or questions below: